Re: Does .NET detect alterations to an assembly?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/14/03


Date: Fri, 14 Feb 2003 17:01:49 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


That paragraph seems to indicate that the hash inclusion and verification
at assembly-loading is ALWAYS done, even without any strong name
or Authenticode signature.
This should be easy to check ...
 - Mitch

David Thom wrote:

> It's still not clear whether the hash-check is done whether or not the
> assembly is signed/strong-named.
>
> The quotation you included in your reply appears to be in the context of a
> signed/strong-named assembly.
>
> But is hash-checking also done for "plain" assemblies?
>
> David Thom
>
> "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> news:3E4D3FFF.D485E045@istar.ca...
> > see also:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconassembliessecurityconsiderations.asp
> >
> > "The common language runtime also performs a hash verification; the assembly
> > manifest contains a list of all files that make up the assembly, including a hash
> > of each file as it existed when the manifest was built. As each file is loaded,
> > its contents are hashed and compared with the hash value stored in the manifest.
> > If the two hashes do not match, the assembly fails to load. "
> >
> > - Mitch
> >
> >
> > "Shawn Farkas [MS]" wrote:
> >
> > > David,
> > >
> > > If you sign your assembly, then the framework will detect if it has been
> > > tampered with, and refuse to load it.
> > >
> > > -Shawn
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Please do not send email directly to this alias, this alias is for newsgroup
> > > purposes only.
> > >
> > > "David Thom" <davidt@npsinc.com> wrote in message
> > > news:uk8oMSD1CHA.1644@TK2MSFTNGP12...
> > > > If an assembly were altered - say, with a hex editor - does .NET detect the
> > > > alteration?
> > > >
> > > > If, for example, we embed a string value in a .NET assembly, can it be
> > > > changed by a hacker? (we don't care if it can be viewed, we just don't want
> > > > it to be changed).
> > > >
> > > > I seem to recall that .NET assemblies have a "hash count/code" to protect
> > > > against this. But I don't know if that "feature" requires code signing or
> > > > some other overt action on the developer's/deployer's part in order to
> > > > activate it.
> > > >
> > > > If I simply create a .NET assembly and do nothing else, is it protected
> > > > against modification? Or should I say, will the alteration at least be
> > > > detected?
> > > >
> > > > Thanks!
> > > >
> > > > David Thom
> > > >
> > > >
> > > >
> > > >
> >
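
A small model of the load-time check described in the quoted MSDN paragraph, added here as an example; it is not code from this thread or from Microsoft, and it is not the CLR's implementation. The file names, contents and key are constructed, SHA-1 is assumed as the file hash, and an HMAC stands in for the strong-name signature so that the example needs only the standard library.

```python
import hashlib
import hmac

# Constructed sample data: one "assembly" made of two files held in memory.
FILES = {"app.exe": b"code...LICENSED_TO=Contoso", "helpers.netmodule": b"helper code"}
SIGNING_KEY = b"constructed-publisher-key"  # stand-in for a strong-name key pair


def _sign(hashes, key):
    # HMAC stands in for the RSA strong-name signature (keeps this stdlib-only).
    blob = "\n".join(f"{n}:{h}" for n, h in sorted(hashes.items())).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def build_manifest(files, key=None):
    """Record one hash per file as it exists now; sign the list if a key is given."""
    hashes = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    return {"hashes": hashes, "signature": _sign(hashes, key) if key else None}


def load(files, manifest, key=None):
    """Return (loaded, reason). Passing key means the caller requires a signed manifest."""
    if key is not None:
        sig = manifest["signature"] or ""
        if not hmac.compare_digest(sig, _sign(manifest["hashes"], key)):
            return False, "manifest signature invalid"
    for name, expected in manifest["hashes"].items():
        # Hash each file at load time and compare with the stored value.
        if hashlib.sha1(files.get(name, b"")).hexdigest() != expected:
            return False, "hash mismatch: " + name
    return True, "ok"


def hex_edit(files, name, old, new):
    """Return a copy of files with one embedded byte string changed."""
    patched = dict(files)
    patched[name] = files[name].replace(old, new)
    return patched


if __name__ == "__main__":
    patched = hex_edit(FILES, "app.exe", b"Contoso", b"Fabrikam")
    print(load(patched, build_manifest(FILES)))    # original manifest kept
    print(load(patched, build_manifest(patched)))  # manifest regenerated, unsigned
    signed = build_manifest(FILES, SIGNING_KEY)
    forged = dict(signed, hashes=build_manifest(patched)["hashes"])
    print(load(patched, forged, SIGNING_KEY))      # regenerated hashes, old signature
```

In this model the hash comparison catches the edit only while the stored hashes are still the originals; the signature over the hash list is what ties them to the publisher's key.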